Diving Into Flame, Researchers Find A Link To Stuxnet

Researchers digging through the code of the recently discovered Flame worm say they have come across a wealth of evidence that suggests Flame and the now-famous Stuxnet worm share a common origin.

Researchers from Kaspersky Lab say that a critical module that the Flame worm used to spread is identical to a module used by Stuxnet.a, an early variant of the Stuxnet worm that began circulating in 2009, more than a year before a later variant of the worm was discovered by antivirus researchers at the Belarusian firm VirusBlokAda. The claims are the most direct to date linking the Flame malware, which attacked Iranian oil facilities, with Stuxnet, which is believed to have targeted Iran’s uranium-enrichment facility at Natanz. If true, they suggest a widespread, multi-year campaign of offensive cyber attacks against multiple targets within that country.

According to the Kaspersky researchers, early versions of Stuxnet were, in fact, created out of components that were part of what they refer to as the “Flame platform”. But they believe development of the two malicious programs diverged after 2009, suggesting that two different development teams may have been working independently for a single entity to create malware with specific objectives, the researchers wrote on the company’s blog, Securelist.

Researchers at Kaspersky and elsewhere initially thought that Stuxnet and Flame were very different pieces of software, and that there was little evidence of a link or common ancestor. However, there was plenty of circumstantial evidence from the start that suggested some connection. For one thing, both Stuxnet and Flame infections were concentrated in Iran and neighboring countries – an unusual pattern of infection compared to other malware. Second, Flame relied on many of the same mechanisms to spread from computer to computer, including USB-based infection, exploitation of a vulnerability in Windows’ Autorun feature and a print spooler vulnerability – both of which were used by Stuxnet to spread.

Subsequent research suggests that claims about the distinctness of Flame were premature. In their work, Kaspersky researchers worked off clues generated by their own automated virus analysis technology, which in October 2010 flagged a malicious file as a variant of Stuxnet. Kaspersky analysts at the time studied the file and saw few similarities to Stuxnet. They dismissed the categorization as a “false positive” and renamed the malware “Tocy.a”.

More than two years later, however, those same researchers stumbled on Tocy.a as they looked for older malware samples that resembled Flame. Noting the history of Tocy.a and its initial designation as a Stuxnet variant, the researchers probed deeper into why the company’s artificial intelligence saw the two pieces of malicious code as so similar to each other, but not to other samples from Kaspersky’s massive library of malware.

The source of the similarity, they concluded, was a module originally found in an early Stuxnet variant and dubbed “Resource 207.” The module, a little more than 350,000 bytes long, was used by Stuxnet.a to do “privilege escalation” – tricks to give the attackers administrator-level access to systems they compromise. Resource 207 disappeared from later versions of Stuxnet, which spread more widely and thus received more attention from researchers – its code absorbed into other Stuxnet components.

Looked at closely, however, Resource 207 from the early version of Stuxnet was nearly identical to a module in the Flame malware. Kaspersky now considers it a “Flame plug-in. Or, to be more precise, proto-Flame.” In fact, it matches almost exactly a contemporary Flame file called “mssecmgr.ocx.” The two share the same bones: components with nearly identical names, identical string decryption algorithms and nearly identical methods of writing the shellcode components within each.

Like handwriting analysts, the Kaspersky researchers have concluded that at least some elements of both Stuxnet and Flame were created by the same hand – or hands. Resource 207 is, they believe, an early component of what they now consider the ‘Flame’ platform.

“By the time Stuxnet was created (in January-June 2009), the Flame platform was already in existence,” the researchers write. “We currently date [Flame’s] creation to no later than summer 2008, [when it] already had a modular structure.”

The worm known as Stuxnet, they believe, used a module built on the Flame platform. That module was probably created specifically to operate as part of Stuxnet. The researchers believe it originally exploited a then-unknown (zero-day) elevation-of-privilege vulnerability, presumably the issue Microsoft later patched with MS09-025. The module was removed in 2010 as the Stuxnet authors shifted focus to a new method of propagation using the vulnerability Microsoft patched in its MS10-046 update in August 2010. After 2009, the Flame platform continued to evolve independently of Stuxnet, and Kaspersky researchers theorize that work on the two malicious programs was tasked to two independent developer teams, which they term “Team F” (Flame) and “Team D” (for “Tilded,” the Stuxnet program). “Each of these teams has been developing its own platform since 2007-2008 at the latest, but snippets of their common origins appear in both pieces of malware.”

In addition to the concrete link between Flame and Stuxnet, the researchers also discovered a fifth zero-day vulnerability used by a version of Stuxnet in 2009; the exploit was included in the Resource 207 module shared by Stuxnet and Flame. Exploit code for that flaw, an elevation-of-privilege bug, was included in a variant of Stuxnet in use in early 2009. That variant was compiled in February 2009, when the bug was still unknown. Microsoft patched the vulnerability four months later, with bulletin MS09-025.

“The same programmer who did the attack on this bug and the MS10-073 bug used in Stuxnet.b, which also was an elevation of privilege,” Roel Schouwenberg, a senior malware researcher at Kaspersky, said in a press conference Monday. “It was definitely very interesting to see.”

Schouwenberg said that researchers are unsure why Resource 207 was removed from the Stuxnet code at some point, but it may have been a way to keep the two attack tools separate.

“One theory is that Flame was a more general purpose cyber-espionage tool and they didn’t want to mix the two platforms more than was necessary,” he said.

The implications of the researchers’ discoveries are intriguing. Many security experts will be unsurprised to learn that two pieces of malicious code with such similar targets and objectives may have come from the same source. Many assumed the Flame malware had links back to a foreign government, rather than criminal hacking groups. News last week about the worm’s use of a never-before-seen cryptographic collision attack to enable the malware to impersonate a Microsoft software update more or less sealed the case.

However, recent news reports citing unnamed government sources give the U.S. credit for creating Stuxnet. That suggests that the U.S. or its allies may have been behind the Flame malware also. That, in turn, has stoked public debate about the wisdom of conducting offensive cyber operations – covert or otherwise. That debate, like the investigation into Flame itself, is likely to intensify, rather than fade, as time goes by.

Comments (50)

All while the administration promotes anti-botnet and anti-malware initiatives that grant private corporations privileged access. The old joke that the AV companies are “in on it” as far as malware is concerned takes a dark and seemingly true form.

How could anyone have trust in the industry when the chances for collusion seem so great?

(1) pumping out hundreds of thousands of highly sophisticated code modules — normally beyond the scope of many coders and skippies — is far easier to tweak once one has disassembled available copies on the ‘net. Add some Packet Forensics’ code, and now corporate security certificates are easily hijacked, etc., etc., etc.

(2) they have a “call home” function, and many have been calling home, although there’s no one at the original command-and-control number to answer — endless phantom traffic clogging up the Web.

It’s as if someone dropped a nuke, then put out the DIY instructions for others to simply assemble in their bedrooms, basements, or criminal warehouses????

What happens when the Iranians (or any of the increasing number of motivated people around the world whose family/friends have been killed by US Drones) decide to turn these around, make them even more sophisticated and release them into US networks?

Since the US networks (Defense, Govt, Corporate) rely so much more on them, would it not be thousands of times more destructive and costly to the US (we are assuming launches of weapons of mass destructions cannot be carried out by software taking over Admin control of computers, which, if proven false would be deadly to the US)?

Is anybody in power even thinking in the US? Or is this feeling of (apparent) power so intoxicating that the Administration will do any and every thing to put America in harm’s way?


Of course not. It is state-sponsored, Cold War-style, intelligence-driven sabotage. Same thing as finding out about a new weapon system from a human source, then paying someone to arrange an accident during testing to slow the program down. This is just done via computer.

“Americans would call it an act of war.”

Clarification: American politicians would call it an act of war, if they thought it would help them in the upcoming American Presidential election. The average person, not having been affected, would go back to watching reality TV.
